SPAKE PreauthenticationΒΆ
SPAKE preauthentication (added in release 1.17) uses public key cryptography techniques to protect against password dictionary attacks. Unlike PKINIT, it does not require any additional infrastructure such as certificates; it simply needs to be turned on. Using SPAKE preauthentication may modestly increase the CPU and network load on the KDC.
SPAKE preauthentication can use one of four elliptic curve groups for
its password-authenticated key exchange. The recommended group is
edwards25519
; three NIST curves (P-256
, P-384
, and
P-521
) are also supported.
By default, SPAKE with the edwards25519
group is enabled on
clients, but the KDC does not offer SPAKE by default. To turn it on,
set the spake_preauth_groups variable in [libdefaults] to a
list of allowed groups. This variable affects both the client and the
KDC. Simply setting it to edwards25519
is recommended:
[libdefaults]
spake_preauth_groups = edwards25519
Set the +requires_preauth and -allow_svr flags on client principal entries, as you would for any preauthentication mechanism:
kadmin: modprinc +requires_preauth -allow_svr PRINCNAME
Clients which do not implement SPAKE preauthentication will fall back to encrypted timestamp.
An active attacker can force a fallback to encrypted timestamp by
modifying the initial KDC response, defeating the protection against
dictionary attacks. To prevent this fallback on clients which do
implement SPAKE preauthentication, set the
disable_encrypted_timestamp variable to true
in the
[realms] subsection for realms whose KDCs offer SPAKE
preauthentication.
By default, SPAKE preauthentication requires an extra network round trip to the KDC during initial authentication. If most of the clients in a realm support SPAKE, this extra round trip can be eliminated using an optimistic challenge, by setting the spake_preauth_kdc_challenge variable in [kdcdefaults] to a single group name:
[kdcdefaults]
spake_preauth_kdc_challenge = edwards25519
Using optimistic challenge will cause the KDC to do extra work for initial authentication requests that do not result in SPAKE preauthentication, but will save work when SPAKE preauthentication is used.